In response, Kaspersky Lab researcher Santiago Pontiroli led an investigation into how adversaries were exploiting so many gamers. After three months of research, Pontiroli and his team discovered the existence of a new type of malware developed specifically to hack Steam accounts. Dubbed Steam Stealer, the malware can bypass the Steam client’s built-in multifactor authentication (MFA) protocols, thus enabling adversaries with the access necessary to compromise the integrity of a player’s account.

Cyber threats to online video games aren’t entirely new, but they are severely underreported. What’s ironic is that the video game industry is as big, if not bigger, than any industry in the world. Of the 1.2 billion video game players worldwide, nearly 700 million of them play online. For the video game industry, providing entertainment for one seventh of the world’s populace equates to revenues of more than $86.8 billion annually. This is nearly double the amount of the film industry, yet the Sony Pictures hack was covered for months. For financially motivated hackers, and fraudsters, there is perhaps no bigger opportunity to profit than the video game industry provides.

The Vulnerability of Online Video Games

As more money comes into online games, cyber criminals are shifting their efforts to exploiting games. Why the change in behavior? For one reason, the tools and techniques once used to hack online banks and Internet retailers are now, more than ever, directly applicable to breaking into game worlds. Techniques such as hijacking player accounts and draining real-money value from the game are reminiscent of the methods that once plagued the financial services industry. Second, the video game industry hasn’t yet fully come to terms with the reality that cyber attacks are a systemic problem, leaving thousands of games exposed to front-end, backend and the most damaging, in-game attacks.

In-video game attacks occur when a player’s account is hijacked using readily available malware that enables man-in-the-middle exploits, keylogging, remote access, and other hacks. Once inside, cyber criminals can steal player credentials, gain access to a player’s game account, transfer in-game assets to other accounts, and sell those assets on the ‘grey market,’ an unauthorized, but not necessarily illegal place that is used to sell virtual items and currency for real money.

The ‘grey market’ is perhaps the greatest unintended consequence of video games moving online. The demand for virtual items is so large that people ranging from U.S. college students working for beer money to Chinese children sitting at Internet cafes for 20 hours a day, are working to amass virtual items through regular game play and sell them for real money. This practice, known as ‘gold farming,’ is so widespread and lucrative that the World Bank wrote a report estimating that it generated $3 billion a year for people in developing countries.

To keep up with today’s demand for virtual items, gold farmers now automate their operations by running hundreds or thousands of bots to speed up the accumulation process. These actions have flooded games’ online economies, losing publishers as much as 40 percent of in-game revenue per month and irreversible reputational damage.

What’s the Fix?

To date, online video game cybersecurity is focused on protecting and monitoring the login and monetary transaction processes. This approach is similar to those taken by banks to eliminate online fraud, a method so ineffective that it cost them billions of dollars over time. Online games today also rely on MFA to protect the login process, although this safeguard is easily defeated by widely available keylogging and screen-scrape technology. Device reputation technology, which verifies that an IP address and device are known for a user, is also commonly used by game publishers, but is susceptible to man-in-the-middle hacks.

Additionally, some publishers have built internal solutions in which games are monitored for gold farmers, bots, and spammers. Many have also developed and implemented rules-based systems that define specific patterns of bad activity based on forensics and after-the-fact investigations. But rules-based security is deeply flawed, as most cybersecurity practitioners know.

As it stands now, either gamers will need to put pressure on publishers or a massive, crippling attack will need to occur for the video game industry to ‘get smart’ on cybersecurity. One thing is for certain: cyber criminals will not stop targeting an industry as lucrative as video games, unless someone makes them.

Matthew Cook is a veteran security and risk professional and a lifelong gamer. He is currently the co-founder of Panopticon Laboratories, the first and only cybersecurity company for video game publishers. View Full Bio

Nowadays, with the help of advanced technology and popularity, the online video gaming industry has expanded rapidly over these years. There are a variety of video games that have been launched last year which has increased the popularity and growth of this industry. There are many online gaming sites like Instant Gaming, FIFA Coin, etc., are also available which have become extremely popular, and gives very high quality of games.

Yeah, a big attack, exspecially if it manages to catch the notce of the mainstream press, would be a terrible thing, both for players as well as publishers. Thanks for calling out the additional vectors you've noticed; we've definiely seen evidence of some of these as well. Appreciate it!

Let's hope the answer isn't a "massive crippling attack" and we can get some attention before then! I agree that video games (and mobile games) are definitely a new and fruitful frontier for fraudsters. A few additional attack techniques we've observed at DataVisor in addition to the ones you list above are: renting out proxy servers to bypass reputation-based detection systems and simulate presences in different locations, virtual currency arbitrage, and criminals acting as in-app purchase brokers. The list keeps growing and I agree we need to shout "rules-based security is deeply flawed" from the rooftops. If game publishers don't start paying attention now, they will pay deeply from their own pockets.

Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.

It was found that dropbear before version 2013.59 with GSSAPI leaks whether given username is valid or invalid. When an invalid username is given, the GSSAPI authentication failure was incorrectly counted towards the maximum allowed number of password attempts.

** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of st...

** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue.